From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 17 Dec 2017 12:55:48 +0100
Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute
 arbitraty code)

---
 wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
index 091d6823..fca4900f 100755
--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -1780,7 +1780,7 @@ sub Read_Config {
 		}else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
 	}
 	
-		#CL - Added to open config if full path is passed to awstats 
+	#CL - Added to open config if full path is passed to awstats 
 	if ( !$FileConfig ) {
 		
 		my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
@@ -2205,7 +2205,10 @@ sub Parse_Config {
 		}
 
 		# Plugins
-		if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
+		if ( $param =~ /^LoadPlugin/ ) {
+			$value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g;		# Sanitize plugin name and string param because it is used later in an eval.
+			push @PluginsToLoad, $value; next; 
+		}
 
 	  # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
 		if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
@@ -3251,7 +3254,7 @@ sub Read_Plugins {
 						}
 						my $ret;    # To get init return
 						my $initfunction =
-						  "\$ret=Init_$pluginname('$pluginparam')";
+						  "\$ret=Init_$pluginname('$pluginparam')";		# Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
 						my $initret = eval("$initfunction");
 						if ( $initret && $initret eq 'xxx' ) {
 							$initret =
@@ -17140,7 +17143,10 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) {    # Run from a browser as CGI
 	# No update but report by default when run from a browser
 	$UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
 
-	if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
+	if ( $QueryString =~ /config=([^&]+)/i ) { 
+		$SiteConfig = &Sanitize("$1");
+		$SiteConfig =~ s/\.\.//g; 		# Avoid directory transversal
+	}
 	if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
 	if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
 		$PluginMode = &Sanitize( "$1", 1 );
@@ -17227,7 +17233,10 @@ else {                             # Run from command line
 	# Update with no report by default when run from command line
 	$UpdateStats = 1;
 
-	if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
+	if ( $QueryString =~ /config=([^&]+)/i ) { 
+		$SiteConfig = &Sanitize("$1"); 
+		$SiteConfig =~ s/\.\.//g; 
+	}
 	if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
 	if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
 		$PluginMode = &Sanitize( "$1", 1 );
-- 
2.15.1

